Occasional Contributor II
Posts: 40
Registered: ‎01-05-2015

AP 105 cannot talk to the controller 620 when going through site-to-site VPN (double NAT, 2 sites same IP

Hi,

We have 3 pcs of AP 105, a few remote APs and one controller 620. Previously, we installed the controller and 2 AP 105 in the same office LAN; now we have moved the controller to the data center. In order to maintain the current IP addresses, we use double NAT on both site firewalls and created a site-to-site VPN. Now both sites use the IP address 172.16.1.0x/24, and the office LAN is NATed to 172.16.10.x/24 and the data center LAN is NATed to 172.16.20.x/24. So the IP address of the controller in the data center is 172.16.1.10. On the APs in the office, we set the master controller IP address to 172.16.20.10. The AP in the office can connect to the controller (site-to-site VPN) and registered on the controller, but the LEDs (Ethernet, Wireless) on the AP show "RED". The client PC can see the SSID, but cannot get an IP address from the DHCP server (on the controller). Please advise what the possible causes are. The "RED" LED means the "GRE" tunnel is not working fine, right?

Thanks a lot in advance.

Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Re: AP 105 cannot talk to the controller 620 when go through site to site VPN( double NAT, 2sits sam

Campus Access points in general will not work if there is a NAT boundary between the access points and the controller. This is because of GRE.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 40
Registered: ‎01-05-2015

Re: AP 105 cannot talk to the controller 620 when go through site to site VPN( double NAT, 2sits sam

Thanks for such a fast reply.

So can we just remove one NAT to make it work? I mean, if we just use a normal site-to-site VPN, will it work fine for the AP 105? Office LAN 172.16.1.x (AP 172.16.1.10), data center 192.168.1.x (controller 192.168.1.2)

Regards

Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Re: AP 105 cannot talk to the controller 620 when go through site to site VPN( double NAT, 2sits sam

Removing NAT increases the possibility that it will work. If you are using a site-to-site VPN, you might have to lower the MTU in the AP system profile to maybe 1100 to make it work.



Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 40
Registered: ‎01-05-2015

Re: AP 105 cannot talk to the controller 620 when go through site to site VPN( double NAT, 2sits sam

Besides changing the IP address of the master controller on the AP and lowering the MTU, is there any additional configuration requirement for a campus AP going through a site-to-site VPN?

Thanks

Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Re: AP 105 cannot talk to the controller 620 when go through site to site VPN( double NAT, 2sits sam

Removing the NAT is the key. You should only consider lowering the MTU after that if the access points do not come up on the controller.


Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 40
Registered: ‎01-05-2015

Re: AP 105 cannot talk to the controller 620 when go through site to site VPN( double NAT, 2sits sam

Thanks a lot for your kind reply. We will try it.

Occasional Contributor II
Posts: 40
Registered: ‎01-05-2015

Re: AP 105 cannot talk to the controller 620 when go through site to site VPN( double NAT, 2sits sam

Hi, one more question. Does the GRE tunnel need to be configured on the controller manually, or will the AP automatically initiate the GRE tunnel with the controller? Thanks

MVP
Posts: 288
Registered: ‎08-27-2012

Re: AP 105 cannot talk to the controller 620 when go through site to site VPN( double NAT, 2sits sam

Once you provision the AP under AP Installation the controller automatically initiates the GRE tunnel to the AP. There is no need to build a manual GRE tunnel.

ACDX #419 | ACMP |